Our QA noticed an odd artifact:
- Configure SCIM
- Add Group A to Push Groups
- Add Application to Group A
  a. Users in Group A are provisioned as expected
- Remove User U from Group A in Okta
  a. Deactivate is sent via PATCH
  b. User remains in Group A in application
- Add application to User U, either directly or by adding them to Group B
  a. User U remains in Group A in application, no remove is received
Our best guess is that Okta sees the user no longer has the application assigned, deactivates them, and then the Group removal is no longer relevant to the application, since they no longer have it assigned. Then when the user is re-added to the application, Okta does not do a “sanity check” to ensure the user’s Group Memberships are accurate.
Is our assessment correct? Is this a bug on Okta’s side or intended behavior?
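The sequence reported above, replayed against a toy SCIM service provider, as an added example that is not part of the original post and is not Okta's or any vendor's code. It models only what the post describes; the class, function names and PatchOp bodies are constructed, and treating re-assignment as an `active: true` PATCH is an assumption. It shows the stale membership surviving reactivation, an app-side mitigation (drop memberships on deactivate), and a reactivation check against the groups the IdP currently asserts.

```python
# Added example: toy SCIM service provider, not Okta or vendor code.
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def set_active(flag):
    # Constructed PatchOp body in the RFC 7644 shape.
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "value": {"active": flag}}]}

class ToyScimApp:
    def __init__(self, strip_groups_on_deactivate=False):
        self.users = {}    # user id -> active flag
        self.groups = {}   # group name -> set of member user ids
        self.strip = strip_groups_on_deactivate

    def add_member(self, group, uid):
        self.users.setdefault(uid, True)
        self.groups.setdefault(group, set()).add(uid)

    def patch_user(self, uid, body):
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise ValueError("not a SCIM PatchOp")
        for op in body["Operations"]:
            value = op.get("value")
            if op["op"].lower() == "replace" and isinstance(value, dict) and "active" in value:
                self.users[uid] = bool(value["active"])
                if not self.users[uid] and self.strip:
                    # Hardened handling: a deactivated user keeps no memberships.
                    for members in self.groups.values():
                        members.discard(uid)

    def groups_of(self, uid):
        return {g for g, members in self.groups.items() if uid in members}

def replay(app):
    app.add_member("Group A", "U")          # user provisioned and pushed into Group A
    app.patch_user("U", set_active(False))  # removed from Group A: only a deactivate arrives
    app.patch_user("U", set_active(True))   # assumption: re-assignment arrives as active=true
    return app.groups_of("U")

def stale_memberships(app, uid, idp_groups):
    # Reactivation check: memberships the app holds that the IdP no longer asserts.
    return sorted(app.groups_of(uid) - set(idp_groups))

if __name__ == "__main__":
    naive, hardened = ToyScimApp(), ToyScimApp(strip_groups_on_deactivate=True)
    print(replay(naive), stale_memberships(naive, "U", ["Group B"]))
    print(replay(hardened), stale_memberships(hardened, "U", ["Group B"]))
```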